Restrict Microsoft 365 access to a specific IP address using Conditional Access

Access to Microsoft 365 plays a key role in the day-to-day operations of many organizations. Unfortunately, developing cybercriminal capabilities have rendered that role a point of potential vulnerability, with vital data held outside of your immediate network.

Threat actors can turn these external access pathways against your organization, even using additional security measures like multi-factor authentication as a way to steal credentials. So, it’s important that those access conditions are clearly defined and enforced with a granular Zero Trust approach.

This guide explains how you can do just that with ThreatLocker: restricting Microsoft 365 access so users can only sign in from a specific public IP address, by creating a named location and enforcing it with a Conditional Access policy.

Prerequisites

Before you begin, ensure you have the following:

  • Microsoft Entra ID (Azure AD) Premium P1 or P2 license
  • Global Administrator or Conditional Access Administrator permissions
  • The public IP address you want to allow access from (example: 10.1.1.1)

Step 1: Create a named location

  1. Sign in to the Microsoft Entra Admin Center
    https://entra.microsoft.com
  2. Navigate to:
    Protection → Conditional Access → Named locations
  3. Click + IP ranges location
  4. Configure the location:
    1. Name: Allowed Office Location
    2. IP ranges: 10.1.1.1
    3. Check Mark as trusted location (optional but recommended)
  5. Click Create

The named location will now represent the trusted IP address.

Step 2: Create a Conditional Access Policy

  1. In the Microsoft Entra Admin Center, go to:
    Protection → Conditional Access → Policies
  2. Click + New policy
  3. Enter a Policy Name:
    Restrict Microsoft 365 Access to Approved IP

Step 3: Configure Users or Groups

  1. Under Assignments → Users
  2. Select the users or groups that should be restricted.

Recommended options:

  • All users (recommended for full enforcement)
    OR
  • Specific user groups

Tip: Exclude at least one emergency admin account to avoid accidental lockout.

Step 4: Select target applications

  1. Under Assignments → Target resources
  2. Select All cloud apps

This ensures the policy applies to all Microsoft 365 services.

Step 5: Configure location conditions

  1. Under Conditions → Locations
  2. Set Configure to Yes
  3. Under Include
    1. Select Any location
  4. Under Exclude
    1. Select Selected locations
    2. Choose the Named Location created earlier (Allowed Office Location)

This configuration means:

  • Any login not from the allowed IP will trigger the policy.

Step 6: Configure access controls

  1. Go to Access controls → Grant
  2. Select:
    • Block access
  3. Click Select
This blocks sign-ins from any location that is not the trusted IP address.

Step 7: Enable the policy

  1. Under Enable policy, choose:
    • On (or Report-only for testing)
  2. Click Create
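
The named location and policy from Steps 1 to 7, expressed as Microsoft Graph request bodies, together with a local model of which sign-ins the policy would block. This is an added example, not ThreatLocker's or Microsoft's code. The IDs, the user name and the 203.0.113.10/32 and 198.51.100.7 addresses are constructed placeholders, and the private-range check assumes named locations accept only public ranges in CIDR form.

```python
import ipaddress

# Constructed placeholders: the id Graph returns for the named location, and the
# object id of the emergency admin account excluded from the policy.
LOCATION_ID = "00000000-0000-0000-0000-000000000001"
BREAK_GLASS = "11111111-1111-1111-1111-111111111111"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def named_location(name, cidrs, trusted=True):
    """Body for POST /identity/conditionalAccess/namedLocations."""
    ranges = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)  # ValueError on bad syntax or host bits
        if net.version == 4 and any(net.overlaps(p) for p in RFC1918):
            raise ValueError(f"{cidr} is private; use the public egress address")
        kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
        ranges.append({"@odata.type": f"#microsoft.graph.{kind}", "cidrAddress": str(net)})
    return {"@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": name, "isTrusted": trusted, "ipRanges": ranges}

def block_policy(name, location_id, break_glass_ids, enforce=False):
    """Body for POST /identity/conditionalAccess/policies (Steps 2 to 7)."""
    if not break_glass_ids:
        raise ValueError("exclude at least one emergency admin account")
    return {
        "displayName": name,
        # Report-only unless enforcement is requested explicitly.
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def decision(policy, location, user_id, source_ip):
    """Local model of include-any / exclude-named-location for one sign-in."""
    if user_id in policy["conditions"]["users"]["excludeUsers"]:
        return "not applied"
    ip = ipaddress.ip_address(source_ip)
    if any(ip in ipaddress.ip_network(r["cidrAddress"]) for r in location["ipRanges"]):
        return "not applied"
    return "block" if policy["state"] == "enabled" else "report-only block"

if __name__ == "__main__":
    loc = named_location("Allowed Office Location", ["203.0.113.10/32"])
    pol = block_policy("Restrict Microsoft 365 Access to Approved IP", LOCATION_ID, [BREAK_GLASS])
    for ip in ("203.0.113.10", "198.51.100.7"):  # constructed sign-in sources
        print(ip, decision(pol, loc, "user-a", ip))
```

Running the model against a sample of recent sign-in source addresses before switching the policy from report-only to On shows which users would lose access.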
